Unofficial news and tips about Google

April 18, 2011

Java and QuickTime Require Permission in Google Chrome

Last year, Chrome's team promised to add some features that improve plug-in security. One of them is already included in the latest dev builds: "some plug-ins are widely installed but typically not required for today's Internet experience. For most users, any attempt to instantiate such a plug-in is suspicious and Google Chrome will warn on this condition."

Two of the plug-ins that require permission every time you visit a site that uses them are Oracle's Java and Apple's QuickTime. The two plug-ins are enabled by default, but you need to click "Run this time" or "Always run on this site" to load the full content of the page. You can manually whitelist domains, but there's no way to disable the infobar.

While not many sites use these plug-ins, it's surprising to see that Chrome requires permission before loading Java or QuickTime content, even if you've updated to the latest version of the plug-in. The infobar warning is annoying, some users might ignore it, while others could think that the page tries to install malicious software.

"The reason is to protect the (estimated 90% - 95%) of internet users who do not ever need to instantiate various lesser-used plug-ins. Remember that you just have to press a single button on the sites that you trust to run Java. And then you're done. In fact you're much better than done: you've limited your exposure to Java security vulnerabilities such that a drive-by malware Java ad won't automatically run. I encourage you to read about the evolution of drive-by downloads and pay particular attention to how Java is being used in a lot of current attacks, even when it is fully up to date," explains a Chrome engineer.

An article from November 2010 informs that "a Java exploit has replaced exploits of PDF file weaknesses to become the most common threat, according to G Data SecurityLabs. Java vulnerabilities offer cyber criminals a lot of potential on the technical side, said researchers, and the development and distribution of malicious code is considerably easier than other methods of infecting a system. Topping the list is Java.Trojan.Exploit.Bytverify.N, which exploits a security hole in Java's byte code verifier. Using this exploit allows the execution of malicious code which could enable an attacker to gain control over a victim's system. This trojan is typically found on hacked websites, where it attempts to infect PCs through drive-by download through a manipulated Java applet, researchers said. Just visiting an infected website with an unprotected computer will be enough to infect a system." G Data expects "a significant rise in the number of Java-based malware in the coming months".